In the fast-evolving landscape of global business, the concept of Enterprise Security Risk Management (ESRM) has emerged as a pivotal strategy for organizations aiming to safeguard their assets and ensure long-term success. While resilience-minded organizations have relied for many years now on overarching Enterprise Risk Management to manage business risk, these efforts have historically focused on operational, financial, governance, and compliance risks, with security often not reaching the level of documented line items in the risk register.
As cybersecurity risks have skyrocketed over the past 10 to 15 years, security risks on both the cyber and physical side are receiving board-level attention and becoming key cornerstones of resilience programs. As such, ESRM (adding "security" to ERM programs) represents a paradigm shift for the industry from traditional security, often more focused on tactical measures, to a more holistic, integrated approach that aligns with an organization's overarching objectives and strategies.
At its core, ESRM is about understanding and managing the array of security risks that organizations face, from cyber threats and data breaches to physical security vulnerabilities for human, physical and non-digital information assets. It's a comprehensive framework that encourages proactive risk assessment and management, to enhance decision-making processes and business continuity.
ESRM answers the three fundamental questions for both physical and virtual assets:
- What needs to be protected? (what assets are most critical to operations)
- What do those assets truly need protection from? (what are the realistic threats likely to be faced)
- How do we best protect those assets? (while maintaining a fiscally responsible approach aligned with the organization's tolerance for asset harm)
Those three simple questions are the keys to paving an easy-to-follow path to plan an overarching security strategy for organizational resilience.
The Present Maturity of ESRM
This significant change in the industry does not mean we are all in the same place in our risk management approaches. Today, the maturity of ESRM varies significantly across industries and organizations. Some have seamlessly integrated it into their strategic planning, viewing security risks as integral to their overall business risk landscape. These organizations have developed robust mechanisms to identify, evaluate, and mitigate risks effectively, thereby embedding a culture of risk awareness throughout their operations.
However, the journey is just beginning for others, where the adoption of ESRM principles is still in its infancy. These organizations often grapple with transitioning from reactive security measures to proactive risk management strategies. The disparity in maturity levels underscores the need for a unified understanding of ESRM's value and its implementation as a strategic business enabler. ASIS International has developed an easy guideline to help you determine where your organization sits on the path to ESRM maturity.
The Future of ESRM and the Role of Security Executives
Looking ahead, ESRM is poised to become even more integral to organizational strategy. The future will see Senior Security Executives across the cyber and physical security domains (or a single leader for both) evolving into key conveners and collaborators, bridging the gap between various internal and external stakeholders. These leaders will foster a shared understanding of risk and develop cohesive strategies that align with the organization's broader goals.
Collaborative Risk Management
The notion that "all risk is shared" is gaining traction across many business organizations, highlighting the interdependence of different risk domains within an organization. Key players in this arena include:
- Legal and Compliance
- Information Technology
- Environmental Health and Safety
- Finance
- Operations
- Security
Collaboration among these entities is crucial to break down silos and adopt a converged approach to risk management. By working together, organizations can ensure a more comprehensive and effective handling of risks, leading to enhanced organizational resilience.
Is Risk Already Converged?
Risk convergence is a phenomenon where different risks overlap and transform into new, interconnected risks. One risk in one aspect of the business can evolve into something much more significant in another aspect of the enterprise.
Security leaders must adapt to these forces to navigate the increasingly complex global environment. However, the concept of risk convergence is broader and extends beyond these specific factors. It involves understanding how various risks intersect and influence each other, affecting enterprise strategies and decision-making.
Working Across Risk Silos
Working across risk silos is crucial for effective enterprise security risk management. Silos can hinder collaboration, innovation, and decision-making. Successful leaders prioritize breaking down these barriers and leading across the organization.
Here are some critical strategies for fostering cross-functional collaboration:
- Shared Vision: Leaders must align teams around a common purpose and vision. When everyone understands the big picture, they can work together more effectively.
- Communication: Encourage open communication across departments: regular meetings, cross-functional teams, and transparent information sharing help bridge gaps.
- Empathy: Understand the challenges faced by other teams. Empathetic leaders build bridges and find solutions that benefit the entire organization.
- Collaborative Problem-Solving: When addressing complex issues, involve stakeholders from different areas. Diverse perspectives lead to better solutions.
- Incentives: Align incentives to promote collaboration. Reward cross-functional efforts and recognize achievements.
Remember, breaking down silos requires commitment and persistence. As security leaders, we must prioritize collaboration to drive organizational success.
Consensus and Collaboration
In today's interconnected business world, risks are inherently converged, affecting multiple organizational functions. For instance, a cyber-attack can simultaneously impact financial, operational, and reputational aspects, illustrating the need for a holistic Enterprise Security Risk Management (ESRM) approach. Recognizing risk convergence is vital for developing an integrated risk assessment and mitigation strategy.
Traditional risk management, often conducted in silos like IT, finance, and operations, limits effective response to complex threats. These silos hinder proactive risk management and necessitate a cultural shift towards cross-departmental collaboration, questioning the existing organizational structures that support or impede integrated risk efforts.
Achieving risk mitigation convergence requires a strategic move towards cross-silo collaboration, employing a unified risk management framework, promoting open communication, and forming joint risk assessment teams. Regular cross-functional meetings enhance understanding and contribution to collective risk mitigation, leading to a synchronized risk management approach.
The cornerstone of successful ESRM is building consensus and fostering collaboration across all organizational levels. Leadership is crucial in advocating an integrated risk management culture, emphasizing continuous education to align risk priorities throughout the organization. This shared commitment to risk management strengthens organizational resilience, enabling an agile response to emerging risks and securing long-term success.
The Technological Edge in ESRM
Technology is pivotal in advancing ESRM practices, providing tools and insights that enable a shift from reactive to proactive risk management – both at the strategic planning and tactical response levels. Here's how technology is reshaping the ESRM landscape:
- AI and Machine Learning: These technologies are at the forefront of identifying potential security threats, offering predictive insights that help in preemptive risk mitigation.
- Publicly Available Data Streams: Leveraging these data sources enhances situational awareness and facilitates a more informed risk assessment process. Many quality data streams are available, such as crime and fire reporting, GIS information, various offender databases, weather data, and geological data.
- Integration of Physical Security Systems Data: Predictive risk in physical security relies on leveraging technology and data streams to anticipate potential threats and optimize responses.
- Building Systems Data Analysis: Monitoring and analyzing data from building infrastructure aids in identifying potential safety and security risks, further bolstering organizational security posture. Building systems data is leveraged through Automatic Fault Detection and Diagnostics (AFDD) software. When physical security data and building systems data are combined into a single pane of glass and subjected to the benefits of artificial intelligence and machine learning, we have a powerfully predictive tool set.
- Botnet and Keyword Searches (Including Dark Web): Real-time monitoring of these elements helps in the early detection of cyber and physical threats, allowing for swift and decisive pre-emptive action. Integrating botnet detection techniques and targeted keyword searches into a holistic risk management program supports awareness, enhances our understanding of threats, and informs risk mitigation strategies.
Envisioning a Converged Risk Program
A fully integrated risk program embodies the essence of ESRM, where shared operations centers and shared responsibility and risk ownership come into play. These centers, including Network Operations Centers (NOC), Security Operations Centers (SOC), Intelligence Monitoring teams, and units dedicated to Business Continuity and Crisis Management, will operate in a mosaic under an incident command structure that can flex to cover any type of incident to provide a comprehensive response mechanism to a crisis. This collaborative model ensures efficient and effective risk management and tactical response, facilitating seamless communication and coordinated actions across different domains.
The Incident Command System and Private Sector
Is it time to consider ICS as a collaborative framework for private sector response to risk events? The Incident Command System (ICS), initially developed for emergency response in the public sector, can indeed be adapted and utilized by global organizations to enhance their response to risks and threats. Here's how:
ICS provides a framework for rapid response that includes:
- Adaptability: ICS is a flexible framework tailored to various contexts, including private sector organizations and global incidents.
- Command Structure: ICS provides a command structure for coordination, information flow, analysis, decision-making, and implementation in an authoritative and standardized manner.
- Applicability: It is used for emergency response when human health, the environment, or other resources are at risk.
Private Sector Integration:
- Whole Community Approach: Global organizations can integrate ICS principles into risk management strategies.
- Resource Contribution: Private sector organizations play vital roles in incident management. Their immediate access to commodities and services can support incident response and stabilize critical lifelines.
- Coordination and Preparedness: Using ICS principles, organizations should coordinate, train, and prepare for incidents.
- Defense-in-Depth Strategies: Adopting defense-in-depth security programs enhances control system environments.
Global Collaboration:
- Common Language: ICS serves as a "common language" of disaster response globally, facilitating collaboration across borders.
- Interoperability: Organizations can use ICS to align their response efforts, share information, and coordinate actions during international incidents.
In summary, global organizations can leverage ICS as a model for rapid response, adapt it to their specific needs, and enhance their risk management capabilities worldwide.
The Road Ahead for ESRM
The trajectory of ESRM points towards deeper integration within the strategic fabric of organizations. The future will likely witness an enhanced reliance on technology for risk prediction and mitigation, fostering a more anticipative and adaptive organizational culture toward risk management.
As we navigate the complexities of the modern business environment, the role of ESRM as a strategic pillar cannot be overstated. The security evolution from a segmented, reactive approach in siloed domains to a comprehensive, proactive framework reflects a growing recognition of the criticality of risk management in sustaining business operations and achieving strategic objectives. The journey of ESRM, fueled by technological advancements and a collaborative mindset, is set to redefine organizational resilience, making it an indispensable element of modern-day business strategy.
What Does the Future Hold
Concepts that were not even imaginable 20 years ago are a reality today. The capabilities discussed in whispered tones five years ago are technologies we now hold in our hands. Physical Security Information Management Systems (PSIMS) were once the rage. Now AI, robotics, advanced analytics, physical security systems with high levels of integration, data lakes, and real-time information are realities. What will the next five years bring? When we merge the risk silos, we create more efficient opportunities for information sharing, collaboration, and rapid resolution to global threats. Imagine when we can see refined data streams from all risk players on a single pane of glass.
Jeffrey A. Slotnick, CPP, PSP, is President of Setracon ESRMS and an internationally known Enterprise Security Risk Consultant with over 28 years of experience. Jeff is peer-recognized as a “Thought Leader and Change Agent.” He focuses on all Enterprise Security Risk Management facets, including quality management programs, risk, vulnerability, threat assessments, Emergency Response Planning, Business Continuity Planning, and Physical Security System Master Planning, Design, and Integration. As a curriculum developer and master trainer, Jeff advocates for quality professional development and training of security and military personnel. He is a member of the North American Board for ASIS International.
As Vice President of Integrated Security Solutions at Allied Universal, Rachelle Loyear leads the Allied Universal Enterprise Security Risk Management approach to customer program development, which is dedicated to driving Allied Universal's mission of helping customers find and deploy the right combination of security professionals, policies, processes and procedures, and cutting-edge technology and data tools to secure their organizations most effectively in a world of evolving risk. Rachelle’s corporate security background focuses strongly on security risk management.